The arrest of two hackers seems to indicate that the days of hacking for fun are very much history. The Wall Street Journal reports the arrests, stating that AT&T acknowledged in June that a flaw in its website made it possible for iPad users’ email addresses to be revealed and said it had fixed the problem. If AT&T and all its resources can be the victim of web application abuse, then what chance do companies with less resources have?
Now the next question is were the alleged hackers white hat, black hat or somewhere in between? SC Magazine has a strong quote:
U.S. Attorney Paul Fishman said in a statement said that other researchers should think twice before using their technical skills for illegal purposes.
“Hacking is not a competitive sport, and security breaches are not a game,” U.S. Attorney Paul Fishman said in a statement. “Those who use technological expertise for malicious purposes take note: Your activities in cyberspace can have serious consequences for you in the real world.”
Here’s an article about a mass attack that recently hit about a million pages, including a couple on apple.com.
It’s the latest in a wave of automated SQL injection attacks that compromise Web site databases and inject a hidden iframe into Web pages – the iframe loads malware from a third party domain, compromising the sites’ users.
Secure development experts cluck at attacks like this – SQL injection takes advantage of insufficient input validation in application code, a well understood developer error. It can be stamped out over time, but it’s still a big problem today. These attackers likely found a SQL injection vulnerability in a commonly used piece of server software, tailored a single-request attack for it, and sucker-punched millions of sites at once to see which ones would fall. It’s hard to defend against that.
It’s also interesting that input filtering at the gateway couldn’t really block this. The SQL was heavily encoded. Signature-based firewalls can’t reliably block this kind of malicious request without blocking many valid requests as well.
So what can be done? Lots. First, a gateway can be a lot more sophisticated about how it checks application input. A broad signature match may not be enough evidence to block a request, but it is a clear indicator that the request is suspicious. Delaying the request and performing additional analysis probably makes sense. It may slow down a small set of valid (but unusual) requests, but it will do a much better job of identifying an injection attack reliably.
Second, SQL injection isn’t really the end, just the means. If you can’t always prevent a SQL injection attack, you can detect that one has taken place and respond to it quickly. The sudden existence of an iframe linking to an unknown domain in your pages is something you want to know about right away. You also probably want to strip it out until you can learn more. A gateway that looks at HTTP responses in the right context can provide that visibility.
Mykonos Software’s Director of Product Management, Al Huizenga presented at the Cornerstones of Trust event in Silicon Valley. The event held by ISSA (Silicon Valley and San Francisco chapters) and Infragard provided a fascinating array of topics and security perspectives.
Al’s presentation to IT Security professionals was titled “Pro-actively Managing web Application Abuse” and was included in the track Proactive Defense: Technologies to Overcome Hidden Threats.
When Web applications are the core of your business, protecting them from abuse is crucial. High profile Web applications can provide front-door access to critical data. Sophisticated and organized attackers with deep technology skills are increasingly successful at accessing that data, and the results can be disastrous, from non-compliance, to fraud, to competitive loss.
»Bank account fraud. Attackers devise and execute phishing scams to highjack customer accounts and perform fraudulent electronic payments
»E-commerce fraud. Attackers make fraudulent purchases, or steal credit card information. This results in a loss of brand credibility, and threatens compliance status with PCI DSS
»Data scraping. For-hire hacking teams establish automated, non-sanctioned calls to business data to power a competitive site or service (e.g. retail pricing, travel bookings)
These problems are getting more severe as attackers become more organized and sophisticated. Traditional approaches to stopping Web attacks that rely on signature based intrusion detection and anti-virus are increasingly ineffective. This is the result of the combination of two factors. First, Web applications are exposed to the public, and easily introspected by the outside world. Attackers can take the time they need to understand how they are coded and which defensive measures are in place, allowing them to avoid being profiled by varying their attacks quickly. Second, the criminal community responsible for Web attacks has evolved into a market of its own, complete with highly productized “command and control” suites for creating and managing bots – armies of compromised computers on the internet that are used to distribute, transform, and obfuscate the attack. These suites are sold online as ready-to-go, do-it-yourself attack kits. The market for these kits is extremely competitive, with market demand driving new features and innovations all the time.
To realize how advanced targeted threats can be disrupted and prevented, you need to clearly understand the nature of those threats.